HIPAA Privacy Rule and Sharing Information Related to Mental Health

Background 

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides consumers with important privacy rights and protections with respect to their health information, including important controls over how their health information is used and disclosed by health plans and health care providers. Ensuring strong privacy protections is critical to maintaining individuals’ trust in their health care providers and willingness to obtain needed health care services, and these protections are especially important where very sensitive information is concerned, such as mental health information. At the same time, the Privacy Rule recognizes circumstances arise where health information may need to be shared to ensure the patient receives the best treatment and for other important purposes, such as for the health and safety of the patient or others. The Rule is carefully balanced to allow uses and disclosures of information—including mental health information—for treatment and these other purposes with appropriate protections. 

Questions and Answers about HIPAA and Mental Health 

Does HIPAA allow a health care provider to communicate with a patient’s family, friends, or other persons who are involved in the patient’s care? 

Yes. In recognition of the integral role that family and friends play in a patient’s health care, the HIPAA Privacy Rule allows these routine – and often critical – communications between health care providers and these persons. Where a patient is present and has the capacity to make health care decisions, health care providers may communicate with a patient’s family members, friends, or other persons the patient has involved in his or her health care or payment for care, so long as the patient does not object. The provider may ask the patient’s permission to share relevant information with family members or others, may tell the patient he or she plans to discuss the information and give them an opportunity to agree or object, or may infer from the circumstances, using professional judgment, that the patient does not object. A common example of the latter would be situations in which a family member or friend is invited by the patient and present in the treatment room with the patient and the provider when a disclosure is made. 

Where a patient is not present or is incapacitated, a health care provider may share the patient’s information with family, friends, or others involved in the patient’s care or payment for care, as long as the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient. Note that, when someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care. 

In all cases, disclosures to family members, friends, or other persons involved in the patient’s care or payment for care are to be limited to only the protected health information directly relevant to the person’s involvement in the patient’s care or payment for care. 

Does HIPAA provide extra protections for mental health information compared with other health information? 

Generally, the Privacy Rule applies uniformly to all protected health information, without regard to the type of information. One exception to this general rule is for psychotherapy notes, which receive special protections. The Privacy Rule defines psychotherapy notes as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record. Psychotherapy notes do not include any information about medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, or results of clinical tests; nor do they include summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date. Psychotherapy notes also do not include any information that is maintained in a patient’s medical record.

Psychotherapy notes are treated differently from other mental health information both because they contain particularly sensitive information and because they are the personal notes of the therapist that typically are not required or useful for treatment, payment, or health care operations purposes, other than by the mental health professional who created the notes. Therefore, with few exceptions, the Privacy Rule requires a covered entity to obtain a patient’s authorization prior to a disclosure of psychotherapy notes for any reason, including a disclosure for treatment purposes to a health care provider other than the originator of the notes. A notable exception exists for disclosures required by other law, such as for mandatory reporting of abuse, and mandatory “duty to warn” situations regarding threats of serious and imminent harm made by the patient (State laws vary as to whether such a warning is mandatory or permissible). 

Is a health care provider permitted to discuss an adult patient’s mental health information with the patient’s parents or other family members? 

In situations where the patient is given the opportunity and does not object, HIPAA allows the provider to share or discuss the patient’s mental health information with family members or other persons involved in the patient’s care or payment for care.


When does mental illness or another mental condition constitute incapacity under the Privacy Rule? For example, what if a patient who is experiencing temporary psychosis or is intoxicated does not have the capacity to agree or object to a health care provider sharing information with a family member, but the provider believes the disclosure is in the patient’s best interests?


HIPAA Privacy Rules permits a health care provider, when a patient is not present or is unable to agree or object to a disclosure due to incapacity or emergency circumstances, to determine whether disclosing a patient’s information to the patient’s family, friends, or other persons involved in the patient’s care or payment for care, is in the best interests of the patient.1 Where a provider determines that such a disclosure is in the patient’s best interests, the provider would be permitted to disclose only the PHI that is directly relevant to the person’s involvement in the patient’s care or payment for care. 


This permission clearly applies where a patient is unconscious. However, there may be additional situations in which a health care provider believes, based on professional judgment, that the patient does not have the capacity to agree or object to the sharing of personal health information at a particular time and that sharing the information is in the best interests of the patient at that time. These may include circumstances in which a patient is suffering from temporary psychosis or is under the influence of drugs or alcohol. If, for example, the provider believes the patient cannot meaningfully agree or object to the sharing of the patient’s information with family, friends, or other persons involved in their care due to her current mental state, the provider is allowed to discuss the patient’s condition or treatment with a family member, if the provider believes it would be in the patient’s best interests. In making this determination about the patient’s best interests, the provider should take into account the patient’s prior expressed preferences regarding disclosures of their information, if any, as well as the circumstances of the current situation. Once the patient regains the capacity to make these choices for herself, the provider should offer the patient the opportunity to agree or object to any future sharing of her information. 

If a health care provider knows that a patient with a serious mental illness has stopped taking a prescribed medication, can the provider tell the patient’s family members? 

So long as the patient does not object, HIPAA allows the provider to share or discuss a patient’s mental health information with the patient’s family members. If the provider believes, based on professional judgment, that the patient does not have the capacity to agree or object to sharing the information at that time, and that sharing the information would be in the patient’s best interests, the provider may tell the patient’s family member. In either case, the health care provider may share or discuss only the information that the family member involved needs to know about the patient’s care or payment for care. 

Otherwise, if the patient has capacity and objects to the provider sharing information with the patient’s family member, the provider may only share the information if doing so is consistent with applicable law and standards of ethical conduct, and the provider has a good faith belief that the patient poses a threat to the health or safety of the patient or others, and the family member is reasonably able to prevent or lessen that threat. For example, if a doctor knows from experience that, when a patient’s medication is not at a therapeutic level, the patient is at high risk of committing suicide, the doctor may believe in good faith that disclosure is necessary to prevent or lessen the threat of harm to the health or safety of the patient who has stopped taking the prescribed medication, and may share information with the patient’s family or other caregivers who can avert the threat. However, absent a good faith belief that the disclosure is necessary to prevent a serious and imminent threat to the health or safety of the patient or others, the doctor must respect the wishes of the patient with respect to the disclosure. 

What options do family members of an adult patient with mental illness have if they are concerned about the patient’s mental health and the patient refuses to agree to let a health care provider share information with the family? 

The HIPAA Privacy Rule permits a health care provider to disclose information to the family members of an adult patient who has capacity and indicates that he or she does not want the disclosure made, only to the extent that the provider perceives a serious and imminent threat to the health or safety of the patient or others and the family members are in a position to lessen the threat. Otherwise, under HIPAA, the provider must respect the wishes of the adult patient who objects to the disclosure. However, HIPAA in no way prevents health care providers from listening to family members or other caregivers who may have concerns about the health and well-being of the patient, so the health care provider can factor that information into the patient’s care. 

In the event that the patient later requests access to the health record, any information disclosed to the provider by another person who is not a health care provider that was given under a promise of confidentiality (such as that shared by a concerned family member), may be withheld from the patient if the disclosure would be reasonably likely to reveal the source of the information. This exception to the patient’s right of access to protected health information gives family members the ability to disclose relevant safety information with health care providers without fear of disrupting the family’s relationship with the patient.

Does HIPAA permit a doctor to contact a patient’s family or law enforcement if the doctor believes that the patient might hurt herself or someone else? 

Yes. The Privacy Rule permits a health care provider to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others. Specifically, when a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. 

Under these provisions, a health care provider may disclose patient information, including information from mental health records, if necessary, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm. For example, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member, school administrators or campus police, and others who may be able to intervene to avert harm from the threat.


Finally, the Privacy Rule permits a covered health care provider, such as a hospital, to disclose a patient’s protected health information, consistent with applicable legal and ethical standards, to avert a serious and imminent threat to the health or safety of the patient or others. Such disclosures may be to law enforcement authorities or any other persons, such as family members, who are able to prevent or lessen the threat.

If a doctor believes that a patient might hurt himself or herself or someone else, is it the duty of the provider to notify the family or law enforcement authorities

A health care provider’s “duty to warn” generally is derived from and defined by standards of ethical conduct and State laws and court decisions such as Tarasoff v. Regents of the University of California. HIPAA permits a covered health care provider to notify a patient’s family members of a serious and imminent threat to the health or safety of the patient or others if those family members are in a position to lessen or avert the threat. Thus, to the extent that a provider determines that there is a serious and imminent threat of a patient physically harming self or others, HIPAA would permit the provider to warn the appropriate person(s) of the threat, consistent with his or her professional ethical obligations and State law requirements. In addition, even where danger is not imminent, HIPAA permits a covered provider to communicate with a patient’s family members, or others involved in the patient’s care, to be on watch or ensure compliance with medication regimens, as long as the patient has been provided an opportunity to agree or object to the disclosure and no objection has been made. Does HIPAA prevent a school administrator, or a school doctor or nurse, from sharing concerns about a student’s mental health with the student’s parents or law enforcement authorities? 

Dr. Leathers uses both email and text to communicate with his clients.  With this communication there are risks that clients need to be aware of.  With email and text messages senders can mistakingly send information to unintended recipients.  Email and texts can be circulated, forwarded, stored electronically and may be sent or distributed to unintended recipients.  Some information may not be protected if employers and websites have a right to monitor emails and texts.  Some businesses, entities, or websites may have the right to monitor informations sent using phones, computers, apps, software or other technology platforms.  Messages may not be secure and information may not be protected and confidential information may be accessible to unauthorized or 3rd party entities.  It is possible that deleted messages sent or received may continue to exist as copies on their own devices or on non-authorized devices.  By reading this you agree to the following terms:  Dr. Leathers will not distribute text or email messages to any other person, business, or entity.  However, Dr. Leathers  is not responsible for the security or confidentiality of email and text information sent and received.  When communicating with text and email it is important to understand that messages should not be sent when it is related to urgent or emergency situations, needs or requests.  Dr. Leathers  will make every effort to reply to messages within an hour, but due to unforeseen technological errors, failures or interruption of communication phone, wifi, or internet services, Dr. Leathers cannot promise or guarantee that messages will be read with urgency or within any specified time frame. All messages sent should be related to scheduling needs or non-emergent medication related issues. If a client does not want certain information to be made available to unintended recipients, then the issue of concern should be discussed in person, in the privacy of Dr. Leathers’ office.  

____________________________________

Policies: Legal, Privacy, Disclaimers, Terms and Conditions

_____________________________________

By using the website, you accept and agree to these terms and conditions below.  If you do not agree to these terms and conditions, do not use the websites associated with Jay Leathers M.D.  

This is the web site (“site”) of Jay Leathers MD, YorbaLIndaPsychiatry.com and Leathers MD Concierge Psychiatry.  Jay Leathers MD, YorbaLIndaPsychiatry.com and Leathers MD Concierge Psychiatry are one and the same.  Please read the following Terms and Conditions of Use before using the site. It provides details of your relationship with Jay Leathers MD regarding your use of the site.

The information provided on the Websites is not a substitute for the advice of a personal physician or other qualified health care professional. Always seek the advice of a physician or other qualified health care professional with any questions regarding medical symptoms or a medical  or mental health condition. Never disregard professional medical advice or delay in seeking it because of something you have read on the Websites.

This website strives to provide up-to-date information. However, the field of psychiatry and medicine is always changing and errors can occur. By reading the information on this website, the viewer assumes all risks in connection with such use. Neither the author(s) nor Jay Leathers MD shall be held responsible or liable for errors or any other damages resulting from any viewer(s)' use of the information contained within the site.

 

This site is not to be used to provide a diagnosis of your condition or a recommendation about any treatment that may be indicated or needed. If you think you or someone you are taking care of has a medical or psychiatric emergency, call 911 or go to the nearest hospital.

Users who engage in electronic commerce with Jay Leathers MD are ensured legitimate security measures.  E-commerce transactions are implemented under tightly controlled circumstances, with appropriate technological safeguards in place to protect financial and other sensitive data.  The e-commerce systems used by Jay Leathers MD  ensures that financial data remains secure.  Financial data and information is not collected by Jay Leathers MD.  Rather, designated banks and financial institutions route the data, facilitates the transfer of funds, authenticates the funds and confirms payment to both you and Jay Leathers MD.  

The information contained within the site may only be used for personal use and any use of this information such as selling content, self service treatment, creating study guides, writing educational papers, citing or quoting the information from this site in lectures or posting information on another web site is strictly prohibited.  In addition, it is illegal to print out multiple copies of the information contained in this website or transmit the data from this website to a third party.  

 

Jay Leathers MD is the owner or licensee of all rights in this site, its content, software, and services. You have no right to such content, software or services if not expressly granted in this Agreement. Jay Leathers, MD and the logos or other proprietary marks of Jay Leathers MD Concierge Psychiatry, licensors and partners are trademarks of Jay Leathers MD or its licensors and partners. 

This site makes every effort and uses up-to-date information to ensure the accuracy of it’s content and information.  However, errors can still occur.  Jay Leathers MD has no warranty and this site makes no claim that it operates for a particular use or purpose and Jay Leathers MD disclaims any warranty that the site will operate without error.  Jay Leathers MD makes no warranty as to the authenticity, accuracy, usefulness, sufficiency, completeness or credibility of the services or information provided within the site.

You Alone are Responsible for Your Actions as a result of Your Use of this site and 

You agree to be solely responsible for your use of this site.  Jay Leathers MD shall not be liable for for any damages you may suffer or cause through your use of this site and Jay Leathers MD shall not be liable tor any damages arising out of your use or inability to use this site.  

You agree to indemnify and hold Jay Leathers MD harmless for any claims, losses or damages, including attorneys fees, resulting from your breach of these terms or use of this Web site.

Jay Leathers MD is Not Responsible for Any Links To or From Other Sites.

This Web site may contain links to other Web sites, and other Web sites may provide links to this Site. These links are provided for your convenience only and the inclusion of such links does not constitute any endorsement of the destination web site nor the content, authenticity, opinion or policies. Jay Leathers MD does not control these other sites and assumes no liability or responsibility for them, including any content or services provided to you by such sites. You should not consider any link to or from another site as an endorsement of that site by Jay Leathers MD.

 

You agree that Jay Leathers MD may use your name, mobile phone number, text messaging, e-mail address, physical address, or other data to communicate with you. Jay Leathers MD will not sell this information to any other party.  You agree to have 

Dr. Leathers uses both email and text to communicate with his clients.  With this communication there are risks that clients need to be aware of.  With email and text, senders can mistakingly send information to unintended recipients.  Email and texts can be circulated, forwarded, stored electronically and may be sent or distributed to unintended recipients.  Some information may not be protected if employers or websites have a right to monitor emails and texts.  Some businesses, entities, or websites may have the right to monitor information sent using phones, computers, apps, software or other technology platforms.  Messages may not be secure and information may not be protected, and confidential information may be accessible to unauthorized or 3rd party entities.  It is possible that deleted messages sent or received may continue to exist as copies on their own devices or on non-authorized devices.  By scheduling an appointment you agree to the following terms:  Dr. Leathers will not distribute text or email messages to any other person, business, or entity.  However, Dr. Leathers  is not responsible for the security or confidentiality of email and text information sent and received.  When communicating with text and email it is important to understand that messages should not be sent when it is related to urgent matters, emergency situations, or sensitive personal needs or requests.  Dr. Leathers will make every effort to reply to messages within an hour, but due to his personal schedule or unforeseen technological errors, failures or interruption of communication devices such as phone, wifi, or internet services, Dr. Leathers cannot promise or guarantee that messages will be read with urgency or within any specified time frame. All messages sent should be related to scheduling needs or non-emergent medication related issues. If a client does not want certain information to be made available to unintended recipients, then the issue of concern should be discussed in person, in the privacy of Dr. Leathers’ office.  

This Agreement shall be governed by and construed in accordance with the laws of the State of California, United States of America, as such laws would apply to a contract fully negotiated, entered into, and performed in that state.

 

You Agree to Arbitrate Any Dispute Between Us.

 

You agree that any dispute, controversy or claim arising out of or related to these Terms or your use of the Site will be resolved and settled through arbitration administered by the American Arbitration Association and conducted in Orange County, California, United States of America. Judgment on any award rendered by the arbitrator may be entered in any court of competent jurisdiction.  Any Action Against Jay Leathers MD Must be Brought in California.  You agree that the state or federal courts located in or serving Orange County, California, United States of America, shall have exclusive jurisdiction and venue over any action arising out of or relating to these Terms or your use of this Site. You waive any claim that a court located in or serving Orange County, California, lacks personal jurisdiction over you, is an improper venue, or is an inconvenient forum.

These Terms and conditions constitute the only agreement between you and Jay Leathers MD regarding your use of this web site.  Jay Leathers MD may modify these Terms at any time.